def verify(self, P, phiP, Q, hat_phiQ):
'''
INPUT:
* P the first point of the protocol
* phiP the image of P
* Q the second point of the protocol
* hat_phiQ dual image of Q
OUTPUT:
* true/false depending on the verification
'''
if not (hat_phiQ.in_curve()
and hat_phiQ.is_prime_order_point(self.curve.N)):
raise RuntimeError(
'evaluation step does not give point of the curve of order N')
# this does not depend on the eval answer, and can be computed before the eval
P_ws = P.weierstrass()
phiP_ws = phiP.weierstrass()
#this needs to be computed here
Q_ws = Q.weierstrass()
hat_phiQ_ws = hat_phiQ.weierstrass()
logging.debug('No denominator computed.')
_Z, mil11 = pairing.miller(hat_phiQ_ws,
P_ws,
ZZ(self.curve.N),
denominator=False)
e1 = pairing.exponentiation(self.curve, mil11[0] / mil11[1])
logging.debug('f_{N, hatphiQ}(P) = %s', str(mil11))
logging.debug('e(hatphiQ, P) = %s', str(e1))
_Z, mil22 = pairing.miller(Q_ws,
phiP_ws,
ZZ(self.curve.N),
denominator=False)
e2 = pairing.exponentiation(self.curve, mil22[0] / mil22[1])
logging.debug('f_{N, Q}(phiP) = %s', str(mil22))
logging.debug('e(Q, phiP) = %s', str(e2))
if e1 != 1:
if e1 == e2:
return True
if e1 == 1 / e2:
return True
# Pairing equation does not hold
logging.debug('Pairing equation does not hold.')
return False
# e_hat_phiQ_P = 1
logging.debug('e(HatPhiQ, P) = 1.')
return False
def vdf_verif(curve, setup, Q, hat_phiQ) :
'''
INPUT:
* curve the elliptic curve
* setup the setup from the vdf_setup function
* Q the second point of the protocol
* hat_phiQ dual image of Q
OUTPUT:
* true/false depending on the verification
'''
#we just need P and phiP for the moment... [P, curve_prime, curvesPath, kernelsOfBigSteps, phiP] = setup
P, phiP = setup [0], setup[-1]
if not(hat_phiQ.in_curve() and hat_phiQ.is_prime_order_point(curve.N)) :
raise RuntimeError('evaluation step does not give point of the curve of order N')
# this does not depend on the eval answer, and can be computed before the eval
P_ws = P.weierstrass()
phiP_ws = phiP.weierstrass()
#this needs to be computed here
Q_ws = Q.weierstrass()
hat_phiQ_ws = hat_phiQ.weierstrass()
#mil1 = hat_phiQ_ws._miller_(P_ws, ZZ(curve.N))
_Z, mil11 = pairing.miller(hat_phiQ_ws, P_ws, ZZ(curve.N), denominator=False)
e1 = pairing.exponentiation(curve, mil11[0]/mil11[1])
#assert e1 == hat_phiQ_ws.tate_pairing(P_ws, ZZ(curve.N), 2)
#mil2 = Q_ws._miller_(phiP_ws, ZZ(curve.N))
_Z, mil22 = pairing.miller(Q_ws, phiP_ws, ZZ(curve.N), denominator=False)
e2 = pairing.exponentiation(curve, mil22[0]/mil22[1])
#assert e2 == Q_ws.tate_pairing(phiP_ws, ZZ(curve.N), 2)
if e1 != 1 :
if e1 == e2 :
return True
if e1 == 1/e2:
return True
# Pairing equation does not hold
return False
# e_Tr_hat_phiQ_P = 1
return False
def verify(self, P, phiP, Q, Tr_hat_phiQ) :
'''
INPUT:
* P the first point of the protocol
* phiP the image of P
* Q the second point of the protocol
* Tr_hat_phiQ the list of hat_phiQ + frob(hat_phiQ) and hat_phiQ - frob(hat_phiQ)
OUTPUT:
* true/false depending on the verification
'''
if not(Tr_hat_phiQ.in_curve() and Tr_hat_phiQ.x in self.curve.Fp and Tr_hat_phiQ.z in self.curve.Fp) :
raise RuntimeError('evaluation step does not give point of the curve defined over Fp')
# this does not depend on the eval answer, can be computed before the eval
P_ws = P.weierstrass()
phiP_ws = phiP.weierstrass()
#this needs to be computed here
Q_ws = Q.weierstrass()
Tr_hat_phiQ_ws = Tr_hat_phiQ.weierstrass()
logging.debug('Denominator computed')
_Z, mil11 = pairing.miller(Tr_hat_phiQ_ws, P_ws, ZZ(self.curve.N), denominator=True)
e1 = pairing.exponentiation(self.curve, mil11[0]/mil11[1])
logging.debug('f_{N, TrhatphiQ}(P) = %s', str(mil11))
logging.debug('e(TrHatPhiQ, P) = %s', str(e1))
_Z, mil22 = pairing.miller(Q_ws, phiP_ws, ZZ(self.curve.N), denominator=True)
e2_squared = pairing.exponentiation(self.curve, mil22[0]/mil22[1])**2
logging.debug('f_{N, Q}(phiP) = %s', str(mil22))
logging.debug('e(Q, phiP)² = %s', str(e2_squared))
if e1 != 1 :
if e1 == e2_squared :
return True
if e1 == 1/e2_squared:
return True
# Pairing equation does not hold
logging.debug('Pairing equation does not hold.')
return False
# e_Tr_hat_phiQ_P = 1
logging.debug('e(TrHatPhiQ, P) = 1.')
return False
def vdf_verif(c, setup, Q, Tr_hat_phiQ):
'''
INPUT:
* c the elliptic curve
* setup the setup from the vdf_setup function
* Q the second point of the protocol
* Tr_hat_phiQ the list of hat_phiQ + frob(hat_phiQ) and hat_phiQ - frob(hat_phiQ)
OUTPUT:
* true/false depending on the verification
'''
[P, c_prime, curvesPath, kernelsOfBigSteps, phiP] = setup
if not (Tr_hat_phiQ.in_curve() and Tr_hat_phiQ.x in c.Fp
and Tr_hat_phiQ.z in c.Fp):
raise RuntimeError(
'evaluation step does not give point of the curve defined over Fp')
# this does not depend on the eval answer, can be computed before the eval
P_ws = P.weierstrass()
phiP_ws = phiP.weierstrass()
Q_ws = Q.weierstrass()
Tr_hat_phiQ_ws = Tr_hat_phiQ.weierstrass()
'''working
print('weil')
print(Tr_hat_phiQ_ws.weil_pairing(P_ws, ZZ(c.N)))
print(Q_ws.weil_pairing(phiP_ws, ZZ(c.N))**2)
print(Q_ws.weil_pairing(phiP_ws, ZZ(c.N))**(-2))
print('tate')
print(Tr_hat_phiQ_ws.tate_pairing(P_ws, ZZ(c.N), 2))
print(Q_ws.tate_pairing(phiP_ws, ZZ(c.N), 2)**2)
print(Q_ws.tate_pairing(phiP_ws, ZZ(c.N), 2)**(-2))
'''
'''not working
print('ate')
print(Tr_hat_phiQ_ws.ate_pairing(P_ws, ZZ(c.N), 2, ZZ(-2*c.p)))
print(Q_ws.ate_pairing(phiP_ws, ZZ(c.N), 2, ZZ(-2*c.p))**2)
print(Q_ws.ate_pairing(phiP_ws, ZZ(c.N), 2, ZZ(-2*c.p))**(-2))
'''
#mil1 = Tr_hat_phiQ_ws._miller_(P_ws, ZZ(c.N))
_Z, mil11 = pairing.miller(Tr_hat_phiQ_ws, P_ws, ZZ(c.N), denominator=True)
#assert mil1**((ZZ(c.p)**2-1)/ZZ(c.N)) == Tr_hat_phiQ_ws.tate_pairing(P_ws, ZZ(c.N), 2)
e1 = pairing.exponentiation(c, mil11[0] / mil11[1])
#assert e1 == Tr_hat_phiQ_ws.tate_pairing(P_ws, ZZ(c.N), 2)
#mil2 = Q_ws._miller_(phiP_ws, ZZ(c.N))
_Z, mil22 = pairing.miller(Q_ws, phiP_ws, ZZ(c.N), denominator=True)
#assert mil2 == mil22[0]/mil22[1]
e2_squared = pairing.exponentiation(c, mil22[0] / mil22[1])**2
#assert e2_squared == Q_ws.tate_pairing(phiP_ws, ZZ(c.N), 2)**2
if e1 != 1:
if e1 == e2_squared:
return True
if e1 == 1 / e2_squared:
return True
# Pairing equation does not hold
return False
# e_Tr_hat_phiQ_P = 1
return False